GRC 2018: Gearing up for GDPR and regtech innovations

The growing involvement of third parties in business operations, increasingly sophisticated cyber attacks, and a fast-changing regulatory landscape are pushing businesses toward a more strategic and structured approach to governance, risk and compliance (GRC).

When the new EU General Data Protection Regulation comes into effect in May 2018, it will pose a number of new challenges for businesses. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

French Caldwell, Chief Evangelist, Marketing, MetricStream, predicts the consequences and also highlights the major technology trends that GRC vendors are likely to invest in heavily during 2018.

-In 2018 under the new EU data protection regulation, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects

The new EU General Data Protection Regulation (GDPR) expands the rights of individuals in the EU with several new rules, including the right to rectification, the right to erasure, the right to object, and the right to restrict processing. Privacy advocacy groups will launch campaigns that drive large numbers of EU residents to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the resulting volume of requests and complaints. Furthermore, many privacy authorities will not be prepared to manage the number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should ensure that their third-party data processors do as well. Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

-By mid-2019, the first €1 million or more penalty under GDPR will be levied

In the event of a data breach, the GDPR provides for large penalties – up to 4% of annual global turnover or €20 million, whichever is greater. With the number of data breaches growing, it is just a matter of time before a large breach occurs. While a new regulation typically brings a period of adjustment in which regulators work through their enforcement priorities, in the case of GDPR the European privacy authorities are under a very public spotlight. The first few companies or government agencies to suffer a large data breach will set the standard for enforcement – especially if they delay reporting the incident. While Europe has had far fewer reported data breaches than the U.S., that could change with the GDPR's mandatory requirement to notify the supervisory authority of a breach within 72 hours of becoming aware of it. The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

The growing influence of technology in GRC:

-In 2018 and 2019, ‘Regtech’ will emerge as the primary driver of technological innovation in the GRC market

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regtech (regulatory technology) is starting to shape the research and development (R&D) investments of major GRC providers. Artificial intelligence and machine learning, applied to both unstructured and structured data to discover new risk and threat insights, are the obvious technical leaders of this innovation, but not the only ones. Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets, and other data objects. Hybrid machine-human scoring of third-party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs. Facial recognition will provide a new means of assurance for data access and separation of duties. To gain a competitive advantage, GRC vendors will increase funding for regtech initiatives both organically and through acquisitions.